The California Consumer Privacy Act (CCPA) has changed how businesses all over the world handle consumer data, but its application is not universal. In many ways, the CCPA is not as all-encompassing as its EU counterpart, the General Data Protection Regulation (GDPR). Though this may lessen the overall burden on businesses as they become compliant, it can create some confusion about when the CCPA does and does not apply.
Here we’ll cover the most important situations where the CCPA doesn’t apply.
The first dividing line that determines whether the CCPA applies is the law’s definition of a “business,” because only businesses are required to be in compliance. Under the CCPA, a business is a for-profit entity that collects consumers’ personal information, does business in California, and meets at least one of these criteria:
Using this definition, the CCPA does not apply to many companies because they do not meet these threshold requirements. Also, because of the for-profit requirement, the CCPA does not apply to government entities or most nonprofits. Some nonprofits may still be bound by the data privacy law if they share common branding with and are controlled by a business to which the CCPA applies.
It doesn’t matter where a company is based; as long as it meets the CCPA’s definition of a business, it can be located on the other side of the world. However, the CCPA only protects California residents. A resident is any person who is in the state of California for more than a temporary or transitory purpose, or a person who is temporarily outside the state if their permanent domicile is in California.
For example, if a Los Angeles-based business collects and shares the personal information of a New York resident, the CCPA does not apply to that activity. Conversely, the CCPA does apply when a New York-based business collects the information of a Californian. Businesses should also take note that they cannot deny a CCPA privacy request just because it originated outside of California; if a person has their permanent home in California, they retain residency and their privacy rights even when they temporarily leave the state.
A key aspect of the CCPA is that it only applies to “personal information.” This term is defined as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” This can include everything from IP addresses to credit card numbers to geolocation data. As broad as this definition is, it doesn’t cover everything.
The biggest exception is that publicly available information is not personal information. “Publicly available” means the information was lawfully made available from federal, state, and local government records. Effective January 1, 2023, the California Privacy Rights Act (CPRA) adds two new types of publicly available information. The first is for “lawfully obtained, truthful information that is a matter of public concern.” This provides a necessary exemption for journalism. The other new category of publicly available information is information that is made widely available by the consumer or widely distributed media. This frees businesses to collect consumer information that is publicly shared on social networks.
The second exception is for deidentified or aggregate consumer information. This exception applies when it is not possible to link the information to a particular consumer or household. For example, if a business collects usage statistics on how many consumers visit its homepage, but these statistics can’t be used to identify individuals, the statistics are not personal information and the CCPA does not apply.
When it comes to data protection and privacy, some industries are already regulated by state and federal law. The CCPA exempts data to which these laws apply, to avoid conflicting rules and obligations. These laws include:
The Health Insurance Portability and Accountability Act (HIPAA) – HIPAA typically relates to medical information, and already provides for the confidentiality and security of this data. The CCPA therefore does not apply to many healthcare providers and related businesses, at least to the extent the data collected is covered by HIPAA.
The Gramm-Leach-Bliley Act (GLBA) – The GLBA applies to banks and other financial institutions, and includes rules about how they must treat nonpublic personal information about their consumers. The CCPA does not apply to personal data that is already subject to the GLBA.
The Fair Credit Reporting Act (FCRA) – The FCRA deals with information that is collected and supplied to credit reporting agencies for the purpose of performing background checks. If the data is already covered by the FCRA, then the CCPA doesn’t apply.
The CCPA is a complex law, and its numerous rules and exceptions can be overwhelming for businesses looking for the simplest path to compliance. TrueVault Polaris is an automated CCPA compliance tool that takes all of these rules into account and guides your business step by step through the whole process.